Plugging the gaps to improve healthcare cybersecurity

Posted: July 20, 2023 | Author: | Filed under: Uncategorized | Tags: , , , |Leave a comment

The UK’s health service turned 75 recently, and its IT infrastructure is starting to show its age. The challenge for cybersecurity professionals working in the sector is one felt by those across many verticals. It’s about mitigating risk even as digital transformation expands the cyber-attack surface. And doing so in an industry where the stakes for failure couldn’t be higher.

I spoke to some experts for a recent ISMSonline feature to find out more.

Raising the stakes

Ransomware represents probably the biggest single cyber threat to healthcare organisations (HCOs) today, whatever country they operate in. A recent report from EU agency ENISA revealed that ransomware accounts for over half (54%) of all cyber-threats targeting the sector, with 46% of all incidents aimed at stealing or leaking data. HCOs don’t just store lucrative personal, medical and financial data in prodigious amounts, they also have a low tolerance for ransomware-related outages.

“When another critical industry is attacked such as the electrical grid for example, power outages ensue, offices and factories shut down during the outage unless they have backup generators and an hour or two, or a day or two later in most cases power is restored, and business and daily life continues as normal,” Richard Staynings, Chief Security Strategist for UK healthcare security specialist Cylera, tells me.

“When healthcare is attacked, clinicians can no longer optimally care for the sick and dying. The industry has changed a lot since the days of Florence Nightingale and today our doctors and nurses are heavily reliant upon health IT and IoT systems such as medical devices to diagnose, monitor, and treat patients.”

In fact, a link between cyber-attacks and patient outcomes has already been established. Studies have shown that a correlation between mortality rates and cyber-attacks, with one report claiming a link between data breaches and heart attack fatalities.

Where are the biggest gaps?

There are so many security gaps that it’s difficult knowing where to start, Staynings says.

“Hospital networks were never designed with cybersecurity in mind so are flat and open access to anyone with credentials. Compare that to a bank or the MoD which have highly compartmentalised access and segmented networks. We are essentially trying to retrofit cybersecurity into healthcare but with limited resources and many other competing projects,” he adds.

“Another area of concern is third party risk. Healthcare uses thousands of vendors, suppliers and outsourcers who provide a wide variety of services necessary for hospitals and clinics to function. Yet Trusts do not adequately vet the security of these vendors or require ISO27001 certification or a SOC2 type attestation of security effectiveness. We have seen the impacts of vendor lapses in security with the 111 attack last year and many others.”

Staynings also points to insufficient staff training on security awareness – unforgivable at a time when most attacks still begin with phishing.

“Insisting on a year-round security awareness programme makes immense sense and probably represents ‘the biggest bang for the buck’ as far as spending on cybersecurity is concerned,” he argues. “Every NHS employee, consultant, contractor, and vendor should be trained, armed and ready to defend against cyberattacks. Currently however, they are not.”

Mohammad Waqas, CTO for Healthcare at Armis, tells me that IoT medical devices (IoMT) represent a critical risk, especially as security teams often don’t have sufficient visibility. A recent survey conducted by the vendor found that a third of NHS Trusts have no method of tracking IoT devices and 10% use manual processes or spreadsheets to do so.

“It’s a common saying within the cybersecurity community that you cannot protect what you cannot see. Complete visibility allows hospital security teams to better understand what devices are connected to their network, when and how they are being used and what are the risks associated with said devices,” he tells me.

“Understanding that context will allow the healthcare organisation to take action and remediate any security need.”

While HCOs might have their PCs locked down, that’s not usually the case with IoMT, Waqas argues.

“The proliferation of IoMT is driving innovation and ultimately improving delivery of care, however its adoption has rapidly enlarged the attack surface. What increases the risk is that existing medical devices on networks are generally running legacy operating systems that no longer receive security patches. These are prime targets for attackers and can be impacted during ransomware attacks,” he explains.

“It’s important to appropriately segment these devices to limit communication as much as possible. Without this, medical devices can very well become non-functional and thereby greatly disrupt patient care—sometimes for weeks. Encouragingly, more than two-thirds of NHS trusts mentioned cybersecurity of medical devices is currently a project on their roadmaps for the upcoming year.”

What’s the government doing?

The good news is that the government’s strategy for a more cyber resilient healthcare sector appears well thought out and fairly comprehensive. The challenge, though, will be implementing all of its recommendations. Staynings argues that a greying population, above-inflation price rises for drugs and equipment, and employee wages will all stretch the budget like never before.

“I would like to believe that this policy document is different from all the others which have come before it, but I can’t help thinking it’s just another excuse to rearrange the deckchairs on the Titanic. It all comes down to funding and the NHS continues to be chronically underfunded, perhaps more-so now that at any time in its history,” he concludes.

“So, while the government’s intent to build-up and expand the healthcare cybersecurity workforce is great in principle, in practice unless the NHS is prepared to adjust salary bands and pay market rates to attract and retain its cybersecurity staff, this initiative will likely fall flat on its face. It all comes down to funding and the will of the government to follow through and deliver on its promises—something that all British governments have a lousy record of.”

Leave a comment